libarchive: fix segfault for broken cpio archives

Resolves: rhbz#1216891, rhbz#1216892 Version: 3.1.2-12
2015-04-29 10:28:31 +02:00 · 2015-04-29 10:28:31 +02:00 · e7c1099e9a
commit e7c1099e9a
parent d46b2e13a5
2 changed files with 127 additions and 1 deletions
--- a/libarchive-3.1.2-security-rhbz-1216891.patch
+++ b/libarchive-3.1.2-security-rhbz-1216891.patch
@ -0,0 +1,119 @@
+From df29aeb7db98d227aea966b18261e5c1d97d223a Mon Sep 17 00:00:00 2001
+From: Pavel Raiskup <praiskup@redhat.com>
+Date: Wed, 29 Apr 2015 10:23:01 +0200
+Subject: [PATCH] Upstream 3865cf2bc e6c9668f 24f5de65 --- From: Tim Kientzle
+ <kientzle@acm.org> Date: Fri, 30 Jan 2015 23:54:19 -0800 Subject: [PATCH]
+ Issue 394: Segfault when reading malformed     old-style cpio archives
+
+Root cause here was an implicit cast that resulted in
+reading very large file sizes as negative numbers.
+
+---
+From: Tim Kientzle <kientzle@acm.org>
+Date: Fri, 30 Jan 2015 23:57:03 -0800
+Subject: [PATCH] Add a check to archive_read_filter_consume to
+    reject any attempts to move the file pointer by a negative
+    amount.
+
+Note:  Either this or commit 3865cf2 provides a fix for
+Issue 394.
+
+---
+From: Tim Kientzle <kientzle@acm.org>
+Date: Fri, 6 Feb 2015 22:07:16 -0800
+Subject: [PATCH] Set a proper error message if we hit end-of-file
+    when trying to read a cpio header.
+
+Suggested by Issue #395, although the actual problem there
+seems to have been the same as Issue #394.
+---
+ libarchive/archive_read.c                     |  2 ++
+ libarchive/archive_read_support_format_cpio.c | 22 ++++++++++++++--------
+ 2 files changed, 16 insertions(+), 8 deletions(-)
+
+diff --git a/libarchive/archive_read.c b/libarchive/archive_read.c
+index 048c316..7f3edc1 100644
+--- a/libarchive/archive_read.c
+++ b/libarchive/archive_read.c
+@@ -1394,6 +1394,8 @@ __archive_read_filter_consume(struct archive_read_filter * filter,
+ {
+ 	int64_t skipped;
+ 
+	if (request < 0)
+		return ARCHIVE_FATAL;
+ 	if (request == 0)
+ 		return 0;
+ 
+diff --git a/libarchive/archive_read_support_format_cpio.c b/libarchive/archive_read_support_format_cpio.c
+index 819f4a4..1dabc47 100644
+--- a/libarchive/archive_read_support_format_cpio.c
+++ b/libarchive/archive_read_support_format_cpio.c
+@@ -198,7 +198,7 @@ static int	archive_read_format_cpio_read_data(struct archive_read *,
+ static int	archive_read_format_cpio_read_header(struct archive_read *,
+ 		    struct archive_entry *);
+ static int	archive_read_format_cpio_skip(struct archive_read *);
+-static int	be4(const unsigned char *);
+static int64_t	be4(const unsigned char *);
+ static int	find_odc_header(struct archive_read *);
+ static int	find_newc_header(struct archive_read *);
+ static int	header_bin_be(struct archive_read *, struct cpio *,
+@@ -213,7 +213,7 @@ static int	header_afiol(struct archive_read *, struct cpio *,
+ 		    struct archive_entry *, size_t *, size_t *);
+ static int	is_octal(const char *, size_t);
+ static int	is_hex(const char *, size_t);
+-static int	le4(const unsigned char *);
+static int64_t	le4(const unsigned char *);
+ static int	record_hardlink(struct archive_read *a,
+ 		    struct cpio *cpio, struct archive_entry *entry);
+ 
+@@ -864,8 +864,11 @@ header_bin_le(struct archive_read *a, struct cpio *cpio,
+ 
+ 	/* Read fixed-size portion of header. */
+ 	h = __archive_read_ahead(a, bin_header_size, NULL);
+-	if (h == NULL)
+	if (h == NULL) {
+	    archive_set_error(&a->archive, 0,
+		"End of file trying to read next cpio header");
+ 	    return (ARCHIVE_FATAL);
+	}
+ 
+ 	/* Parse out binary fields. */
+ 	header = (const unsigned char *)h;
+@@ -900,8 +903,11 @@ header_bin_be(struct archive_read *a, struct cpio *cpio,
+ 
+ 	/* Read fixed-size portion of header. */
+ 	h = __archive_read_ahead(a, bin_header_size, NULL);
+-	if (h == NULL)
+	if (h == NULL) {
+	    archive_set_error(&a->archive, 0,
+		"End of file trying to read next cpio header");
+ 	    return (ARCHIVE_FATAL);
+	}
+ 
+ 	/* Parse out binary fields. */
+ 	header = (const unsigned char *)h;
+@@ -944,17 +950,17 @@ archive_read_format_cpio_cleanup(struct archive_read *a)
+ 	return (ARCHIVE_OK);
+ }
+ 
+-static int
+static int64_t
+ le4(const unsigned char *p)
+ {
+-	return ((p[0]<<16) + (p[1]<<24) + (p[2]<<0) + (p[3]<<8));
+	return ((p[0] << 16) + (((int64_t)p[1]) << 24) + (p[2] << 0) + (p[3] << 8));
+ }
+ 
+ 
+-static int
+static int64_t
+ be4(const unsigned char *p)
+ {
+-	return ((p[0]<<24) + (p[1]<<16) + (p[2]<<8) + (p[3]));
+	return ((((int64_t)p[0]) << 24) + (p[1] << 16) + (p[2] << 8) + (p[3]));
+ }
+ 
+ /*
+-- 
+2.1.0
+
--- a/libarchive.spec
+++ b/libarchive.spec
@ -1,6 +1,6 @@
 Name:           libarchive
 Version:        3.1.2
-Release:        11%{?dist}
+Release:        12%{?dist}
 Summary:        A library for handling streaming archive formats

 Group:          System Environment/Libraries
@ -32,6 +32,9 @@ Patch1: libarchive-3.1.2-testsuite.patch

 Patch2: libarchive-3.1.2-acl.patch

+# ~> upstream patches: 3865cf2b e6c9668f 24f5de65
+Patch3: libarchive-3.1.2-security-rhbz-1216891.patch
+
 %description
 Libarchive is a programming library that can create and read several different
 streaming archive formats, including most popular tar variants, several cpio
@ -77,6 +80,7 @@ libarchive packages.
 # fix not working saving/restoring acl
 # ~> downstream
 %patch2 -p1 -b .fix-acl
+%patch3 -p1 -b .segfault-cpio


 %build
@ -175,6 +179,9 @@ rm -rf $RPM_BUILD_ROOT


 %changelog
+* Wed Apr 29 2015 Pavel Raiskup <praiskup@redhat.com> - 3.1.2-12
+- fix libarchive segfault for intentionally broken cpio archives (rhbz#1216892)
+
 * Sat Feb 21 2015 Till Maas <opensource@till.name> - 3.1.2-11
 - Rebuilt for Fedora 23 Change
  https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code